Electronic communication includes any communication that is transmitted, acknowledged, stored, downloaded, displayed, or printed by an electronic communication system or service. Given the ubiquitous nature of electronic communication, critical to Commonwealth agencies’ and organizations’ ability to provide efficient constituent support, this policy focuses on the specific category of electronic messaging (i.e., email, instant messaging, etc.) communication and related threats that, if left unmitigated, may lead to a loss of data and/or system integrity, confidentiality, or availability.

Executive Department Agencies, [1] in addition to any agency or third party that connects to the Commonwealth’s wide area network (MAGNet), must comply with this policy.

Executive Department Agencies are required to ensure compliance by any business partner that accesses Executive Department IT Resources or shared environments, e.g. MAGNet; and

Executive Department Agencies are required to ensure compliance by third parties in any aspect of the process of providing goods and services to their agency. These include, but are not limited to, electronic data collection, storage, processing, disposal, dissemination and maintenance. Third parties that interact in any way with Executive Department Commonwealth IT Resources, e.g. MAGNet, are required to comply with this policy.

Other Commonwealth entities are encouraged to adopt, at a minimum, security requirements in accordance with this Enterprise Electronic Messaging Communications Security Policy or a more stringent agency policy that addresses agency specific and business related directives, laws, and regulations.

Commonwealth agencies and organizations must continue to strive for electronic messaging communications reliability, availability, integrity, and performance by supporting enterprise and local agency efforts including, but not limited to, the following:

1. Enterprise Filtering

1.1. Known Viruses: the subject line, message body, and attachment(s) are scanned. Emails containing files with extensions that are associated with a virus are discarded. Users must be aware that emails containing executable files may be discarded.

1.2. Content Spam: Including subject line and/or specific spam content requested by an agency or otherwise identified as spam.

1.4. Message Segmentation: All multi-part MIME messages will be blocked at the gateway. Message segmentation allows a large message to be divided into smaller messages for transmission. Because these smaller messages may hide viruses and other malicious software, message segmentation is banned.

2. Commonwealth Agency & Organization Filtering

Non-MassMail Agencies may continue to deploy local content filtering technology that screens agency-specific transmission of email, subject to restrictive attributes defined by each agency. Agencies that have documented that they have adopted and distributed to all new and current employees an acceptable use policy that states that employees have no expectation of privacy in their workplace email are empowered to content filter outgoing employee email with minimal risk of violating employees’ privacy rights. Even in agencies that have such documentation, content filtering incoming email poses the risk of violating outside parties’ rights under the Commonwealth’s Privacy Law, Mass. Gen. L. ch. 214, and Wiretap Statute, Mass. Gen. L. ch. 272, sec. 99. Agency counsel should consult ITD’s General Counsel prior to advising their clients that they may content filter incoming electronic mail.

3. Private Email Accounts

Use of private email (i.e., a commercial email system or service, separate and apart from an agency's primary email system) and "Public" Instant messaging (IM) have been primary sources of unauthorized intrusion (e.g., virus instantiation) and other instances of malware. Therefore, users who access and utilize private email and “Public” Instant messaging do so with the following understanding:

3.1. Private email or “Public” Instant messaging is not an authorized or official method of communicating business related information. Users are required to utilize their agency’s designated email or IM technology, e.g. MassMail, Lync for any official business communications that are transmitted via email or IM.

3.2. Users are prohibited from downloading or sending attachments using their private email or IM accounts from inside MAGNet.

3.3. ITD reserves the right to log and monitor all traffic that enters or leaves Commonwealth managed networks regardless of whether the traffic is personal in nature or not. Therefore, access and use of a private email or public IM system from a Commonwealth ITR or from within a Commonwealth Managed network should not be considered private.

3.4. Users who are identified as being a source of unauthorized intrusion may be disconnected from the network. Re-establishing connection will be at the discretion of the Enterprise Security Office in consultation with the user’s Senior Management.

4. Exception Requests

If an agency or organization determines that the use of private email and/or Instant Messaging is critical to its mission, the agency head or their designee must request an exception to this policy. Such a request must document the reasons the exception is required, under what circumstances, its duration, and the access controls that will ensure that the agency has taken sufficient steps to mitigate or isolate the associated threat (e.g., how email account users are prevented from simultaneous access to the agency’s default email and private email accounts). Documented requests for exceptions must be submitted to ITD and the Enterprise Security Board for review and approval prior to agency implementation.

5. Additional Legal Issues

All electronic messages created or received by state employees using the Commonwealth’s information technology resources are public records under the Commonwealth’s Public Records Law, Mass. Gen. L. ch. 66, sec. 10, and most are therefore subject to public scrutiny. All such electronic messages are also records subject to the Commonwealth’s Records Conservation Law, Mass. Gen. L. ch. 30, sec. 42, and must be disposed of or retained according to the agency’s disposition schedule and the Commonwealth’s Records in Common disposition schedule. The majority of such messages are also potentially discoverable communications for purposes of litigation. Thus Agency heads and organization authorities must ensure that all electronic communications are retained, disposed of, and disclosed in compliance with the Public Records Law, the Records Conservation Law and the relevant discovery rules.

6. Compliance

Agencies within the Executive Department must comply with this Enterprise Electronic Messaging Communications Security Policy. All Commonwealth agencies and organizations must comply with this policy as a prerequisite for access to and/or participation within MAGNet, and/or to use information resources managed by ITD. Vendors who seek to work with any agency or organization within the Commonwealth of Massachusetts must comply with this and all the Commonwealth’s Enterprise Security Policies, Standards and Procedures as published by ITD.

All agencies and entities governed by the overarching Enterprise Information Security Policy are subject to the referenced roles and responsibilities in addition to those specifically stated within this supporting policy. The roles and responsibilities associated with implementation and compliance with this policy follow:

Assistant Secretary for Information Technology

The Assistant Secretary for Information Technology is responsible for the approval and adoption of the Enterprise Electronic Messaging Communications Security Policy and its revisions.

Secretariat Chief Information Officer (SCIO) and Agency Head

Agency Heads and/or their designees are responsible for ensuring that employees, contractors, and/or business partners that may be affected, are aware of this policy.

Secretariat or Agency Information Security Officer (ISO)

Ensure that the goals and requirements of the Enterprise Electronic Messaging Communications Security Policy are implemented and met.

Enterprise Security Board (ESB)

Recommend revisions and updates to this policy and related standards.

Information Technology Division (ITD)

After review of any related recommendations of the Enterprise Security Board, issue revisions and updates to this policy and related standards.

User Responsibility

Commonwealth agency and organization users must not introduce electronic messages that may damage the local or enterprise (MAGNet) environment. Items that could be considered a detriment include, but are not limited to, viruses, distributed denial of service attacks, Trojans, worms, and/or personal electronic communications contributing to network congestion.

If the user is unsure of the identity of the sender of an email, the recipient should determine whether the email should be deleted without opening it (doing so is advisable in order to protect the physical and digital assets of the Commonwealth). The recipient may telephone the sender to ask if the email is legitimate. The recipient may also consult CommonHelp for guidance.

The user should have their email configured so that an email is not automatically opened when a previous email is closed, deleted or moved.

Terms

Key terms used in this policy have been provided below for your convenience. For a full list of terms please refer to the Information Technology Division’s web site where a full glossary of Commonwealth Specific Terms is maintained.

Agency – A department, bureau, commission, board, office, council, or other entity in the executive department of government, created by the Massachusetts constitution or statute.

Business Partner – A generic term referring to both contracted business partners and statutory business partners. (See definitions for “Contracted Business Partner” and “Statutory Business Partner” below).

Employees – Agency’s employees or individuals under contract with the agency to provide services and paid directly by the agency whose work is controlled and directed by the agency.

Information Technology (IT) Resources – The Commonwealth’s computers, printers, and other peripherals, programs, local and wide area networks, access to the Internet when provided by the Commonwealth, and remote access methods including VPN.

MAGNet – Commonwealth’s Wide Area Computer Network.

User – Any workforce member (or computer performing automated tasks) with a legitimate reason and purpose to use Commonwealth IT resources.

Document History

[1] The Executive Department is comprised of the Executive Branch minus the Constitutional Offices, i.e., the State Auditor, State Treasurer, the Attorney General, and the Secretary of the Commonwealth.
